[Samba] Joining new AD controller to *old* Samba AD controller

Peter Smode psmode at kitsnet.us
Sun Apr 25 19:49:01 UTC 2021


Rowland,

Thank you for the advice on the failed to commit message. This is a big step
forward for me!

But it does bring me to my next issue on trying to execute a backup on my
new DC. I get a complaint about the RID pool not being initialized and I am
not sure about how best to proceed. 

-+-+-+-+
[root at finch ~]# samba-tool domain backup offline --targetdir=/var/lib/samba-ad-dc_backup
The RID pool for this DC is not initalized (e.g. it may be a fairly new DC).
To initialize it, create a temporary user on this DC (you can delete it
later).
ERROR: Cannot create backup - please initialize this DC's RID pool first.
-+-+-+-+

I checked the FSMO roles and RidAllocationMasterRole is still with the
original DC (turtle). For what it is worth, I ran this search on my new DC:

-+-+-+-+
[root at finch ~]# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
# record 1
dn: CN=RID Set,CN=FINCH,OU=Domain Controllers,DC=zoo,DC=lan,DC=kitsnet,DC=us

# record 2
dn: CN=RID Set,CN=TURTLE,OU=Domain Controllers,DC=zoo,DC=lan,DC=kitsnet,DC=us

# Referral
ref: ldap://zoo.lan.kitsnet.us/CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us

# Referral
ref: ldap://zoo.lan.kitsnet.us/DC=DomainDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us

# Referral
ref: ldap://zoo.lan.kitsnet.us/DC=ForestDnsZones,DC=zoo,DC=lan,DC=kitsnet,DC=us

# returned 5 records
# 2 entries
# 3 referrals
-+-+-+-+

Unfortunately, this is not possible on the existing DC since the ldbsearch
command is not available to me there.


I do not get what exactly I am supposed to do at this point since the
message that talks about creating a user on this DC (and only this DC?) is
not making sense to me. 


Could you suggest the safest way to move forward? Is there a trivial
sequence I can execute to get this backup moving along without bifurcating
the AD database on the two DCs? 



-- Peter
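The ldbsearch above only returns the dn of each RID Set, which does not tell you whether a DC has ever drawn a RID from its pool. The following is an added example (not Samba's code, and not from this thread) that parses ldbsearch/LDIF output for rIDSet objects, decodes the packed rIDAllocationPool value, and reports per DC whether the pool looks initialised before attempting a backup. The DNs reuse the zoo.lan.kitsnet.us names from the thread, but the pool numbers and the rIDNextRID value are constructed, and the "initialised" rule (rIDPreviousAllocationPool present and a non-zero rIDNextRID) is this example's assumption about what the samba-tool message is checking, not its exact test.

```python
"""Report which DCs' RID pools look initialised from ldbsearch output.

Added example for the thread above; it is not Samba's own code.  The sample
output is constructed (pool numbers are made up) and the "initialised" rule
is this example's assumption, not the exact check samba-tool performs.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def encode_pool(start: int, end: int) -> int:
    """rIDAllocationPool is a 64-bit int: low 32 bits = first RID of the
    pool, high 32 bits = last RID of the pool."""
    return start | (end << 32)


def decode_pool(value: int) -> Tuple[int, int]:
    return value & 0xFFFFFFFF, value >> 32


# Constructed sample of `ldbsearch -H sam.ldb '(objectClass=rIDSet)'` with the
# RID attributes requested.  FINCH (new DC) holds a pool it has never drawn
# from; TURTLE has issued RIDs.  The folded dn line shows LDIF line wrapping.
SAMPLE_LDB_OUTPUT = f"""\
# record 1
dn: CN=RID Set,CN=FINCH,OU=Domain Controllers,DC=zoo,DC=lan,DC=kitsnet,DC=us
objectClass: rIDSet
rIDAllocationPool: {encode_pool(1600, 2099)}

# record 2
dn: CN=RID Set,CN=TURTLE,OU=Domain Controllers,DC=zoo,DC=lan,DC=kitsn
 et,DC=us
objectClass: rIDSet
rIDAllocationPool: {encode_pool(1100, 1599)}
rIDPreviousAllocationPool: {encode_pool(1100, 1599)}
rIDNextRID: 1113
rIDUsedPool: 0

# Referral
ref: ldap://zoo.lan.kitsnet.us/CN=Configuration,DC=zoo,DC=lan,DC=kitsnet,DC=us

# returned 3 records
# 2 entries
# 1 referrals
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line above."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldb_output(text: str) -> List[Entry]:
    """Parse ldbsearch output into entries (attr -> list of values).

    '#' lines are comments, a blank line ends an entry, 'attr:: b64' is a
    base64 value.  Referral records carry 'ref:' but no dn and are dropped.
    """
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def _dc_from_rid_set_dn(dn: str) -> str:
    """'CN=RID Set,CN=FINCH,OU=Domain Controllers,...' -> 'FINCH'.
    Naive split on ','; RID Set DNs contain no escaped commas."""
    return dn.split(",")[1].split("=", 1)[1]


def rid_set_status(entries: List[Entry]) -> Dict[str, dict]:
    """Per-DC view of the RID Set objects (assumed rule, see module doc):
    rIDAllocationPool alone = a range handed out by the RID master but never
    drawn from; rIDPreviousAllocationPool plus a non-zero rIDNextRID = the DC
    has actually issued a RID, e.g. by creating an account locally."""
    status: Dict[str, dict] = {}
    for e in entries:
        if "rIDSet" not in e.get("objectClass", []):
            continue
        alloc = e.get("rIDAllocationPool")
        next_rid = int(e["rIDNextRID"][0]) if "rIDNextRID" in e else 0
        status[_dc_from_rid_set_dn(e["dn"][0])] = {
            "dn": e["dn"][0],
            "allocated_pool": decode_pool(int(alloc[0])) if alloc else None,
            "next_rid": next_rid,
            "initialised": "rIDPreviousAllocationPool" in e and next_rid > 0,
        }
    return status


def backup_precheck(status: Dict[str, dict], this_dc: str) -> Tuple[bool, str]:
    """Mimic the precheck behind the thread's error message (assumed logic)."""
    info = status.get(this_dc)
    if info is None:
        return False, f"no RID Set object found for {this_dc}"
    if not info["initialised"]:
        return False, (f"RID pool on {this_dc} not initialised; creating one "
                       "account on this DC (then deleting it) makes it draw a RID")
    first, last = info["allocated_pool"]
    return True, f"{this_dc} pool {first}-{last}, next RID {info['next_rid']}"


if __name__ == "__main__":
    status = rid_set_status(parse_ldb_output(SAMPLE_LDB_OUTPUT))
    for dc in ("FINCH", "TURTLE"):
        ok, msg = backup_precheck(status, dc)
        print("OK  " if ok else "FAIL", msg)
```

On a real DC you would feed it the output of `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)'` with the rID* attributes listed after the filter instead of `dn`; the point of decoding both pools is to confirm, before creating any account, that the ranges the RID master handed to each DC do not overlap, since overlapping pools are what produce duplicate SIDs rather than a split database.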



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via
samba
Sent: Sunday, April 25, 2021 3:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Joining new AD controller to *old* Samba AD controller

On 25/04/2021 01:33, Peter Smode via samba wrote:
> I am adding another Samba AD controller to my home network, building 
> the new controller (finch) from v4.14.2 source on CentOS 8. The 
> existing (and, up till now, only) AD controller(turtle) is running on 
> CentOS 7 based on v4.8.9. At the time, I thought that using the RPMs 
> from what seemed to be a reliable source would be a good idea. 
> Unfortunately, they changed direction, stopped updating the RPMs and 
> my AD controller ended up getting trapped in time. I'll not be repeating
> that mistake.


The problem is/was a gnutls problem, compounded with CentOS 8 turning into
CentOS Stream. Many CentOS users appear to be turning away from it and using
other distros instead, so there isn't the impetus to create Samba packages
for CentOS 8. As far as I understand it, CentOS 7 will outlive CentOS 8.

>   
>
> First step is to get the new AD controller joined in and to be 100% 
> certain I got it right. I need some help here to see if I have got this
> much right.
> I did the join and the log *mostly* looks OK, and I can see with 
> samba-tool drs showrepl that replication is successful on both 
> controllers. The only thing giving me concern in the join right now is 
> the error messages in the middle of the output from the join operation:
>
>   
>
> Failed to commit objects: DOS code 0x000021bf
>
> Missing target object - retrying with DRS_GET_TGT


Fairly common, for whatever reason, it couldn't 'commit' some objects, so it
tried another way. If this had failed, it would have failed hard. 
If everything is working as expected, then I wouldn't worry.

Rowland


